DDoS attacks are one of the most common forms of cyber threat activity on the net. They can be deployed by the most dangerous state-sponsored actors and the hobby hacker alike, taking on several different forms. Over the decades we've seen DDoS attacks evolve from rudimentary volumetric attacks, designed to knock sites offline, into far more complex and malicious threats.
With the internet now well into its twenties, it's about time some maturity entered the arena when it comes to solving this problem. While we may never be able to fully apportion blame for why DDoS still causes millions in damage every year, we do need to question the role that service providers play in mitigating the threat.
The responsibility in many cases lies with hosting providers and ISPs, something I explain to consultants with a simple analogy:
Imagine running a bath and seeing that a quarter of the water coming through the tap was contaminated. When the bill from the water company came, I don't imagine anyone being too happy paying for a contaminated supply. People can justifiably look at their Internet service in the same way.
If a hosting provider doesn't offer effective DDoS mitigation as part of its service, it is delivering useless and potentially harmful traffic onto its customers' networks and charging them for the privilege. If people would refuse to pay the water company for contaminated water, why are so many companies paying for the equivalent from their hosting and service providers?
With Internet traffic, the problem is that customers can't accurately visualise all the traffic flowing across their network, and analysing it is far too big a job for existing staff to handle. Whether it's a sub-saturation attack (too small to fill the link, so it never trips a bandwidth alarm, but designed to probe defences or degrade a specific service) or a huge flood attempting to knock the whole place offline, customers aren't able to hold providers to account in the way a water customer could, despite the second-rate service they may be receiving.
The legacy solution for hosting providers was to black-hole traffic: if a suspected DDoS attack was under way, all traffic destined for the targeted address would be routed to a null interface (a null route, typically triggered via BGP and known as remotely triggered black-holing, or RTBH). The decision is made purely on the destination address, so legitimate traffic is discarded along with the attack, and real users can't reach the site or service they were hoping to--costing the business money and customers. This is doing the attackers' work for them: the site is rendered unusable by the mitigation itself, even after the attack itself has...
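The difference between a destination-only black-hole and a source-aware filter is easiest to see over actual flow records. The following is an added example, not code from the original article: it runs a constructed set of NetFlow-style records (source, destination, packets per second, all in RFC 5737 documentation ranges) through a per-destination detector, then applies the two mitigations and reports how much legitimate traffic each one still delivers. The thresholds and the `source_rate_limit` strategy are assumptions chosen for illustration; a real scrubbing service uses far richer signals than a per-source rate.

```python
# Added example (not from the original article): toy comparison of a
# destination-only black-hole against a source-selective filter, run over
# constructed flow records. Thresholds are assumed values for illustration.
from collections import Counter

# Constructed flow records: (source, destination, packets per second).
# Three sources flood 203.0.113.10; two real clients also talk to it, and a
# third real client talks to a neighbouring host in the same /24.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 120_000),
    ("198.51.100.8", "203.0.113.10", 115_000),
    ("198.51.100.9", "203.0.113.10", 130_000),
    ("192.0.2.44",   "203.0.113.10", 40),
    ("192.0.2.45",   "203.0.113.10", 25),
    ("192.0.2.46",   "203.0.113.11", 30),
]
# Ground truth for scoring only; a provider does not have this list.
LEGIT_SOURCES = {"192.0.2.44", "192.0.2.45", "192.0.2.46"}


def attacked_destinations(flows, dst_pps_threshold):
    """Destinations whose aggregate inbound rate exceeds the threshold.

    This is the per-destination aggregation a provider's flow collector
    performs; the threshold is an assumed tuning knob.
    """
    per_dst = Counter()
    for _src, dst, pps in flows:
        per_dst[dst] += pps
    return {dst for dst, pps in per_dst.items() if pps > dst_pps_threshold}


def blackhole(flows, targets):
    """Legacy mitigation: every packet to a targeted host is discarded.

    Models a /32 null route (RTBH). The decision looks only at the
    destination, so the target's legitimate clients are dropped too.
    """
    forwarded = [f for f in flows if f[1] not in targets]
    dropped = [f for f in flows if f[1] in targets]
    return forwarded, dropped


def source_rate_limit(flows, targets, src_pps_threshold):
    """Selective mitigation: toward a targeted host, drop only sources whose
    own rate exceeds src_pps_threshold; everything else is forwarded.
    """
    forwarded, dropped = [], []
    for flow in flows:
        _src, dst, pps = flow
        if dst in targets and pps > src_pps_threshold:
            dropped.append(flow)
        else:
            forwarded.append(flow)
    return forwarded, dropped


def legit_pps_delivered(forwarded, legit_sources):
    """Packets per second from legitimate sources that still get through."""
    return sum(pps for src, _dst, pps in forwarded if src in legit_sources)


def attack_pps_delivered(forwarded, legit_sources):
    """Packets per second from attack sources that still get through."""
    return sum(pps for src, _dst, pps in forwarded if src not in legit_sources)


def compare(flows=FLOWS, legit_sources=LEGIT_SOURCES):
    """Detect the attacked host, apply both strategies, and score each one."""
    targets = attacked_destinations(flows, dst_pps_threshold=10_000)
    strategies = {
        "blackhole": blackhole(flows, targets),
        "source_rate_limit": source_rate_limit(flows, targets, src_pps_threshold=1_000),
    }
    results = {}
    for name, (forwarded, _dropped) in strategies.items():
        results[name] = {
            "legit_pps": legit_pps_delivered(forwarded, legit_sources),
            "attack_pps": attack_pps_delivered(forwarded, legit_sources),
        }
    return targets, results


if __name__ == "__main__":
    targets, results = compare()
    print("attacked hosts:", sorted(targets))
    for name, r in results.items():
        print(f"{name:18s} legit pps delivered={r['legit_pps']:>4}  "
              f"attack pps delivered={r['attack_pps']}")
```

Both strategies stop the flood, but the black-hole delivers only the 30 pps aimed at the neighbouring host, while the source-aware filter still delivers all 95 pps of legitimate traffic, including the 65 pps to the attacked host itself. That gap is the business cost the article describes, and it is the number a customer should be asking a provider to report.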